Executive summary


Audit Methodology 


The Information Commissioner is responsible for enforcing and promoting compliance with data protection 
legislation, as well as the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations (EIR). 
Section 47 of the FOIA makes provision for the Commissioner to assess whether a public authority is following 
good practice, including compliance with the requirements of the Act and the provisions of the codes of practice 
under sections 45 and 46. The ICO sees auditing as a constructive process with real benefits for controllers and so 
aims to establish a participative approach. 


The purpose of the audit is to provide the Information Commissioner and the Department of Agriculture, 
Environment and Rural Affairs (DAERA) with independent assurance of the extent to which the information 
handling practices of DAERA, within the scope of this agreed audit, conform with the codes of practice under 
sections 45 and 46 of the FOIA. 


DAERA agreed to a consensual audit by the ICO of its compliance with the FOIA. An introductory telephone meeting 
was held on 7 September 2020 with representatives of DAERA to discuss the scope of the audit. 


It was agreed that the audit would focus on the following area(s): 

Scope area: Freedom of Information 
Description: The extent to which the information handling practices of DAERA, within the scope of this agreed 
audit, conform with the codes of practice under sections 45 and 46 of the FOIA. 
Audits are conducted following the Information Commissioner’s data protection audit methodology. The key 
elements of this are normally a desk-based review of selected policies and procedures, on-site visits including 
interviews with selected staff, and an inspection of selected records. 


However, due to the outbreak of Covid-19 and the resulting restrictions on travel, this methodology was no longer 
appropriate. DAERA therefore agreed to continue with the audit on a remote basis. A desk-based review of 
selected policies and procedures and remote telephone interviews were conducted from 13 October to 16 October 2020. 
The ICO would like to thank DAERA for its flexibility and commitment to the audit during difficult and challenging 
circumstances. 


Where weaknesses were identified, recommendations have been made, primarily around enhancing existing 
processes to facilitate compliance with the relevant legislation. In order to assist DAERA in implementing the 
recommendations, each has been assigned a priority rating based upon the risks that it is intended to address. 
The ratings are assigned based upon the ICO’s assessment of the risks involved. DAERA’s priorities and risk 
appetite may vary and, therefore, it should undertake its own assessment of the risks identified. 


Audit Summary 


Audit scope area: Freedom of Information 
Assurance rating*: Reasonable 
Overall opinion: There is a reasonable level of assurance that processes and procedures are in place and are 
delivering freedom of information compliance. The audit has identified some scope for improvement in existing 
arrangements to reduce the risk of non-compliance with the relevant legislation. 

*The assurance rating above is reflective of the remote audit methodology deployed at this time and the rating may 
not necessarily represent a comprehensive assessment of compliance. 
Priority Recommendations 

All scope areas: breakdown of priority recommendations by rating (Low, Medium, High, Urgent). 
[Chart: priority recommendations for Freedom of Information, broken down by rating] 
Graphs and Charts 

[Chart: Freedom of Information assurance rating summary] 
Areas for Improvement 

• DAERA should ensure that all staff receive mandatory training content on FOI and EIR requests, which should 
be refreshed on an annual basis. A forum should be created for staff who process requests (Decision Makers 
and Main Decision Makers) to share best practice, continue refresher training on key topics and provide 
feedback on policy and procedures. 

• Departmental information governance groups should monitor FOI and EIR compliance and adherence to 
records management policies and procedures. This will help to promote a more holistic approach to the 
management of information risk. 

• The Data Protection and Information Management Branch should implement an evidence-based approach to 
gain assurance from Information Asset Owners. This is to make sure that risks around information assets 
are being adequately managed and that Northern Ireland Civil Service (NICS) and DAERA policies on information 
risk and records management are correctly implemented and adhered to. 

• DAERA should conduct a formal information audit and data flow mapping exercise in key business areas. 
This will help to identify what records should be created and retained and to reconcile this against information 
asset registers and file plans. The exercise will also help to identify any gaps in records management 
policies or procedures. 

• The draft Retention and Disposal Schedule did not always provide a reason or justification for the retention 
period for all types of records. The draft schedule should be updated to include this additional information at 
the next review to ensure compliance with the s.46 Code of Practice, GDPR and DPA18. 
Disclaimer 
The matters arising in this report are only those that came to our attention during the course of the audit and are 
not necessarily a comprehensive statement of all the areas requiring improvement. 


The responsibility for ensuring that there are adequate risk management, governance and internal control 
arrangements in place rests with the management of DAERA. 


We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to 
any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it 
arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot 
accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining 
from acting as a result of any information contained in this report. 


This report is an exception report and is solely for the use of DAERA. The scope areas and controls covered by the 
audit have been tailored to DAERA and, as a result, the audit report is not intended to be used in comparison with 
other ICO audit reports. 